
CVE-2025-27819 – Apache Kafka: Possible RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration
https://notcve.org/view.php?id=CVE-2025-27819
10 Jun 2025 — In CVE-2023-25194, we announced the RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration in Kafka Connect API. • https://kafka.apache.org/cve-list • CWE-502: Deserialization of Untrusted Data •

CVE-2025-27818 – Apache Kafka: Possible RCE attack via SASL JAAS LdapLoginModule configuration
https://notcve.org/view.php?id=CVE-2025-27818
10 Jun 2025 — A possible security vulnerability has been identified in Apache Kafka. This requires access to an alterConfig to the cluster resource, or Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol, which has been possible on Kafka clusters since Apache Kafka 2.0.0 (Kafka Connect 2.3.0). ... • https://kafka.apache.org/cve-list • CWE-502: Deserialization of Untrusted Data •

CVE-2025-1041 – Avaya Call Management System RCE vulnerability
https://notcve.org/view.php?id=CVE-2025-1041
10 Jun 2025 — An improper input validation discovered in Avaya Call Management System could allow an unauthorized remote command via a specially crafted web request. Affected versions include 18.x, 19.x prior to 19.2.0.7, and 20.x prior to 20.0.1.0. • https://support.avaya.com/css/public/documents/101093084 • CWE-20: Improper Input Validation •

CVE-2025-43574 – Acrobat Reader | Use After Free (CWE-416)
https://notcve.org/view.php?id=CVE-2025-43574
10 Jun 2025 — Acrobat Reader versions 24.001.30235, 20.005.30763, 25.001.20521 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. ... This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. ... An attacker can leverage this vulnerability to execute code in the context of the current process. • https://helpx.adobe.com/security/products/acrobat/apsb25-57.html • CWE-416: Use After Free •

CVE-2025-47112 – Acrobat Reader | Out-of-bounds Read (CWE-125)
https://notcve.org/view.php?id=CVE-2025-47112
10 Jun 2025 — An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. • https://helpx.adobe.com/security/products/acrobat/apsb25-57.html • CWE-125: Out-of-bounds Read •

CVE-2025-5395 – WordPress Automatic Plugin - AI content generator and auto poster plugin <= 3.115.0 - Authenticated (Author+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-5395
10 Jun 2025 — The WordPress Automatic Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'core.php' file in all versions up to, and including, 3.115.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://codecanyon.net/item/wordpress-automatic-plugin/1904470#item-description__changelog • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-32714 – Windows Installer Elevation of Privilege Vulnerability
https://notcve.org/view.php?id=CVE-2025-32714
10 Jun 2025 — An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Windows Installer service. ... An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32714 • CWE-284: Improper Access Control •

CVE-2025-4799 – WP-DownloadManager <= 1.68.10 - Authenticated (Administrator+) Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-4799
10 Jun 2025 — The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file deletion due to lack of restriction on the directory a file can be deleted from in all versions up to, and including, 1.68.10. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://plugins.trac.wordpress.org/browser/wp-downloadmanager/trunk/download-manager.php#L215 • CWE-36: Absolute Path Traversal •

CVE-2025-33075 – Windows Installer Elevation of Privilege Vulnerability
https://notcve.org/view.php?id=CVE-2025-33075
10 Jun 2025 — An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Windows Installer service. By creating a symbolic link, an attacker can abuse the service to delete arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33075 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •

CVE-2025-47959 – Visual Studio Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2025-47959
10 Jun 2025 — Improper neutralization of special elements used in a command ('command injection') in Visual Studio allows an authorized attacker to execute code over a network. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Visual Studio. ... An attacker can leverage this vulnerability to execute code in the context of the current user. • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47959 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •